Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Security Audit Log SM20 and usage of ID: SAP*

Former Member
0 Kudos

Dear All,

I have an issue while checking usage of SAP* ID via SM20.

System does not allow me to select "=" sign in front of the ID. In consequence I receive a log of all IDs that start with SAP....

Please advise if there is a way to get a security log of usage of SAP* ID only?

Regards,

Michal

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hello Michal,

just search for events for user SAP#*

The hash character is an escape character in such dynpros.

Regards, Uwe

7 REPLIES 7

Former Member
0 Kudos

Michal,

I don't believe there is a way to select SAP* on it's own as it will see the * as a wildcard.

However, when you have the log, you can click on the block at the top of the column "User" and select "Sort in ascending order" or "Sort in descending order". This will then put them into sequence and you can see the items that you are specifically looking for.

Hope that helps

0 Kudos

Hi Tony,

Thank you for prompt response, unfortunately I don't have "User" column that can be sorted. I need to click on single result line to enter details page that shows User information.

Best Regards,

Michal

sdipanjan
Active Contributor
0 Kudos

Hi,

Basically SM20 audit log determines any check against S_TCODE or TSTCA for audit log and the changes stored in different tables comprising usage of user ids. But as you know SAP* is not in our class and gets checked only in kernel level. So, if you want to trace the usage of SAP* please try to create a separate filter for SAP* only and select the events to be recorded for SAP* only. Also make sure that SAP* related profile parameters are in action.

regards,

Dipanjan

martin_voros
Active Contributor
0 Kudos

Hi,

as it was said it's not possible with SM20. There is a logic for handling one star in user name. But you can use report RSAU_SELECT_EVENTS intead of SM20. It gives you more option to restrict selection.

Cheers

Former Member
0 Kudos

Read the documentation in RZ11 on rsau/user_selection.

It was exactly because of SAP* that it does an exact user name check. Someone seems to have relaxed this in your system without reading the docs...

If the log records only and exactly SAP* as an existing user master record, then you might not notice it if you are hacked this way!

--> rather change the other user ID's to named users and create a basic filter for all users.

Cheers,

Julius

Former Member
0 Kudos

Hello Michal,

just search for events for user SAP#*

The hash character is an escape character in such dynpros.

Regards, Uwe

0 Kudos

Dear Uwe,

Thank you very much for your solution, it is working:).

Dear All,

Thank you for helping me with solving my issue, all your comments are very useful.

Best Regards,

Michał